Merge pull request #205 from sapcc/tls-cert-key

`fromEnv` syntax for Swift options and TLS client auth

Author: talal

CHANGELOG.md

@@ -1,3 +1,12 @@
+# v2.10.0 (2023-02-28)
+
+New features:
+- Add support for specifying TLS client certificate and key file.
+- Add `{ fromEnv: ENV_VAR }` syntax support for all Swift options.
+
+Changes:
+- Updated all dependencies to their latest versions.
+
 # v2.9.1 (2022-05-25)
 
 Bugfixes:

README.md

@@ -1,10 +1,11 @@
 # swift-http-import
 
 * [Why this instead of rclone?](#why-this-instead-of-rclone)
-* [Do NOT use if...](#do-not-use-if)
+* [Do NOT use if\.\.\.](#do-not-use-if)
 * [Implicit assumptions](#implicit-assumptions)
 * [Installation](#installation)
 * [Usage](#usage)
+  * [Specifying sensitive info as environment variables](#specifying-sensitive-info-as-environment-variables)
   * [Alternative authentication options](#alternative-authentication-options)
   * [Source specification](#source-specification)
     * [Yum](#yum)
@@ -106,8 +107,13 @@ jobs:
       object_prefix: ubuntu-repos
 ```
 
-The first paragraph contains the authentication parameters for OpenStack's Identity v3 API. Optionally a `region_name`
-can be specified, but this is only required if there are multiple regions to choose from.
+The first paragraph contains the authentication parameters for
+OpenStack's Identity v3 API. Optionally a `region_name` can be specified, but this is only
+required if there are multiple regions to choose from. You can also specify the `tls_client_certificate_file` and `tls_client_key_file` for creating a TLS client.
+
+You can use the `fromEnv` special syntax for the `to.container`, `to.object_prefix`, and
+the Swift fields (options under the `swift` key).
+See [specifying sensitive info as environment variables](#specifying-sensitive-info-as-environment-variables) for more details.
 
 Each sync job contains the source URL as `from.url`, and `to.container` has the target container name, optionally paired with an
 object name prefix in the target container. For example, in the case above, the file
@@ -124,6 +130,21 @@ ubuntu-repos/pool/main/p/pam/pam_1.1.8.orig.tar.gz
 
 The order of jobs is significant: Source trees will be scraped in the order indicated by the `jobs` list.
 
+### Specifying sensitive info as environment variables
+
+For some config fields, instead of specifying the value as plain text, you can use the
+special `fromEnv` syntax to read the respective value from an exported environment
+variable.
+
+For example, instead of specifying the `swift.password` as plain text, you can use the
+following syntax to retrieve the password from the `OS_PASSWORD` environment variable:
+
+```yaml
+swift:
+  password: { fromEnv: OS_PASSWORD }
+  ...
+```
+
 ### Alternative authentication options
 
 Instead of password-based authentication, [application credentials][app-cred] can also be used, for example:
@@ -139,13 +160,6 @@ jobs: ...
 
 [app-cred]: https://docs.openstack.org/python-openstackclient/latest/cli/command-objects/application-credentials.html
 
-Instead of providing your secret credentials as plain text in the config file, you can use a special syntax for the
-`password` field or the `application_credential_secret` field to read the respective password from an exported
-environment variable:
-
-```yaml
-password: { fromEnv: ENVIRONMENT_VARIABLE }
-```
 
 ### Source specification
 
@@ -254,8 +268,8 @@ Since GitHub's API rate limits the number of requests per IP therefore it is
 field. Refer to the [GitHub API docs](https://docs.github.com/en/rest/overview/resources-in-the-rest-api#rate-limiting)
 for more info on its rate limiting. This field is **required** if the repository is hosted on a Github Enterprise instance instead of `github.com`.
 Instead of providing your token as plain text in the config file, you can use the
-`fromEnv` special syntax for the `jobs[].from.token` field. See [Alternative
-authentication options](#alternative-authentication-options) for more details.
+`fromEnv` special syntax for the `jobs[].from.token` field. See
+[specifying sensitive info as environment variables](#specifying-sensitive-info-as-environment-variables) for more details.
 
 If a repository publishes GitHub releases using different tags, e.g. server components at
 `server-x.y.z` and client at `client-x.y.z`, and you only want to get releases whose tag
@@ -301,6 +315,10 @@ jobs:
       object_prefix: ubuntu-repos
 ```
 
+For defining Swift options, you can use the `fromEnv` special syntax for all the fields
+under the `from` key instead of specifying these fields as plain text. See
+[specifying sensitive info as environment variables](#specifying-sensitive-info-as-environment-variables)
+
 ### File selection
 
 #### By name

pkg/objects/config.go

@@ -28,6 +28,7 @@ import (
 	"github.com/majewsky/schwift"
 	yaml "gopkg.in/yaml.v2"
 
+	"github.com/sapcc/go-bits/secrets"
 	"github.com/sapcc/swift-http-import/pkg/util"
 )
 
@@ -74,10 +75,11 @@ func ReadConfiguration(path string) (*Configuration, []error) {
 	//across all Debian/Yum jobs.
 	var gpgCacheContainer *schwift.Container
 	if cfg.GPG.CacheContainerName != nil && *cfg.GPG.CacheContainerName != "" {
+		cntrName := *cfg.GPG.CacheContainerName
 		sl := cfg.Swift
-		sl.ContainerName = *cfg.GPG.CacheContainerName
+		sl.ContainerName = secrets.FromEnv(cntrName)
 		sl.ObjectNamePrefix = ""
-		err := sl.Connect(sl.ContainerName)
+		err := sl.Connect(cntrName)
 		if err == nil {
 			gpgCacheContainer = sl.Container
 		} else {
@@ -277,7 +279,7 @@ func (cfg JobConfiguration) Compile(name string, swift SwiftLocation) (job *Job,
 			errors = append(errors, fmt.Errorf("missing value for %s.segmenting.segment_bytes", name))
 		}
 		if cfg.Segmenting.ContainerName == "" {
-			cfg.Segmenting.ContainerName = cfg.Target.ContainerName + "_segments"
+			cfg.Segmenting.ContainerName = string(cfg.Target.ContainerName) + "_segments"
 		}
 	}
 

pkg/objects/github.go

@@ -38,11 +38,11 @@ import (
 
 type GithubReleaseSource struct {
 	// Options from config file.
-	URLString         string               `yaml:"url"`
-	Token             secrets.AuthPassword `yaml:"token"`
-	TagNamePattern    string               `yaml:"tag_name_pattern"`
-	IncludeDraft      bool                 `yaml:"include_draft"`
-	IncludePrerelease bool                 `yaml:"include_prerelease"`
+	URLString         string          `yaml:"url"`
+	Token             secrets.FromEnv `yaml:"token"`
+	TagNamePattern    string          `yaml:"tag_name_pattern"`
+	IncludeDraft      bool            `yaml:"include_draft"`
+	IncludePrerelease bool            `yaml:"include_prerelease"`
 
 	// Compiled configuration.
 	url       *url.URL       `yaml:"-"`

pkg/objects/swift.go

@@ -20,6 +20,7 @@
 package objects
 
 import (
+	"crypto/tls"
 	"fmt"
 	"io"
 	"net/http"
@@ -39,18 +40,20 @@ import (
 // SwiftLocation contains all parameters required to establish a Swift connection.
 // It implements the Source interface, but is also used on the target side.
 type SwiftLocation struct {
-	AuthURL                     string               `yaml:"auth_url"`
-	UserName                    string               `yaml:"user_name"`
-	UserDomainName              string               `yaml:"user_domain_name"`
-	ProjectName                 string               `yaml:"project_name"`
-	ProjectDomainName           string               `yaml:"project_domain_name"`
-	Password                    secrets.AuthPassword `yaml:"password"`
-	ApplicationCredentialID     string               `yaml:"application_credential_id"`
-	ApplicationCredentialName   string               `yaml:"application_credential_name"`
-	ApplicationCredentialSecret secrets.AuthPassword `yaml:"application_credential_secret"`
-	RegionName                  string               `yaml:"region_name"`
-	ContainerName               string               `yaml:"container"`
-	ObjectNamePrefix            string               `yaml:"object_prefix"`
+	AuthURL                     secrets.FromEnv `yaml:"auth_url"`
+	UserName                    secrets.FromEnv `yaml:"user_name"`
+	UserDomainName              secrets.FromEnv `yaml:"user_domain_name"`
+	ProjectName                 secrets.FromEnv `yaml:"project_name"`
+	ProjectDomainName           secrets.FromEnv `yaml:"project_domain_name"`
+	Password                    secrets.FromEnv `yaml:"password"`
+	ApplicationCredentialID     secrets.FromEnv `yaml:"application_credential_id"`
+	ApplicationCredentialName   secrets.FromEnv `yaml:"application_credential_name"`
+	ApplicationCredentialSecret secrets.FromEnv `yaml:"application_credential_secret"`
+	TLSClientCertificateFile    secrets.FromEnv `yaml:"tls_client_certificate_file"`
+	TLSClientKeyFile            secrets.FromEnv `yaml:"tls_client_key_file"`
+	RegionName                  secrets.FromEnv `yaml:"region_name"`
+	ContainerName               secrets.FromEnv `yaml:"container"`
+	ObjectNamePrefix            secrets.FromEnv `yaml:"object_prefix"`
 	//configuration for Validate()
 	ValidateIgnoreEmptyContainer bool `yaml:"-"`
 	//Account and Container is filled by Connect(). Container will be nil if ContainerName is empty.
@@ -63,16 +66,16 @@ type SwiftLocation struct {
 
 func (s SwiftLocation) cacheKey(name string) string {
 	v := []string{
-		s.AuthURL,
-		s.UserName,
-		s.UserDomainName,
-		s.ProjectName,
-		s.ProjectDomainName,
+		string(s.AuthURL),
+		string(s.UserName),
+		string(s.UserDomainName),
+		string(s.ProjectName),
+		string(s.ProjectDomainName),
 		string(s.Password),
-		s.ApplicationCredentialID,
-		s.ApplicationCredentialName,
+		string(s.ApplicationCredentialID),
+		string(s.ApplicationCredentialName),
 		string(s.ApplicationCredentialSecret),
-		s.RegionName,
+		string(s.RegionName),
 	}
 	if logg.ShowDebug {
 		v = append(v, name)
@@ -88,6 +91,15 @@ func (s *SwiftLocation) Validate(name string) []error {
 		result = append(result, fmt.Errorf("missing value for %s.auth_url", name))
 	}
 
+	if s.TLSClientCertificateFile != "" || s.TLSClientKeyFile != "" {
+		if s.TLSClientCertificateFile == "" {
+			result = append(result, fmt.Errorf("missing value for %s.tls_client_certificate_file", name))
+		}
+		if s.TLSClientKeyFile == "" {
+			result = append(result, fmt.Errorf("missing value for %s.tls_client_key_file", name))
+		}
+	}
+
 	if s.ApplicationCredentialID != "" || s.ApplicationCredentialName != "" {
 		//checking application credential requirements
 		if s.ApplicationCredentialID == "" {
@@ -99,7 +111,7 @@ func (s *SwiftLocation) Validate(name string) []error {
 				result = append(result, fmt.Errorf("missing value for %s.user_domain_name", name))
 			}
 		}
-		if string(s.ApplicationCredentialSecret) == "" {
+		if s.ApplicationCredentialSecret == "" {
 			result = append(result, fmt.Errorf("missing value for %s.application_credential_secret", name))
 		}
 	} else {
@@ -124,7 +136,7 @@ func (s *SwiftLocation) Validate(name string) []error {
 		result = append(result, fmt.Errorf("missing value for %s.container", name))
 	}
 
-	if s.ObjectNamePrefix != "" && !strings.HasSuffix(s.ObjectNamePrefix, "/") {
+	if s.ObjectNamePrefix != "" && !strings.HasSuffix(string(s.ObjectNamePrefix), "/") {
 		s.ObjectNamePrefix += "/"
 	}
 
@@ -154,16 +166,16 @@ func (s *SwiftLocation) Connect(name string) error {
 	s.Account = accountCache[key]
 	if s.Account == nil {
 		authOptions := gophercloud.AuthOptions{
-			IdentityEndpoint:            s.AuthURL,
-			Username:                    s.UserName,
-			DomainName:                  s.UserDomainName,
+			IdentityEndpoint:            string(s.AuthURL),
+			Username:                    string(s.UserName),
+			DomainName:                  string(s.UserDomainName),
 			Password:                    string(s.Password),
-			ApplicationCredentialID:     s.ApplicationCredentialID,
-			ApplicationCredentialName:   s.ApplicationCredentialName,
+			ApplicationCredentialID:     string(s.ApplicationCredentialID),
+			ApplicationCredentialName:   string(s.ApplicationCredentialName),
 			ApplicationCredentialSecret: string(s.ApplicationCredentialSecret),
 			Scope: &gophercloud.AuthScope{
-				ProjectName: s.ProjectName,
-				DomainName:  s.ProjectDomainName,
+				ProjectName: string(s.ProjectName),
+				DomainName:  string(s.ProjectDomainName),
 			},
 			AllowReauth: true,
 		}
@@ -173,9 +185,22 @@ func (s *SwiftLocation) Connect(name string) error {
 			return fmt.Errorf("cannot create OpenStack client: %s", err.Error())
 		}
 
+		transport := &http.Transport{}
+		if s.TLSClientCertificateFile != "" && s.TLSClientKeyFile != "" {
+			cert, err := tls.LoadX509KeyPair(string(s.TLSClientCertificateFile), string(s.TLSClientKeyFile))
+			if err != nil {
+				return fmt.Errorf("failed to load x509 key pair: %s", err.Error())
+			}
+			transport.TLSClientConfig = &tls.Config{
+				Certificates: []tls.Certificate{cert},
+				MinVersion:   tls.VersionTLS12,
+			}
+			provider.HTTPClient.Transport = transport
+		}
+
 		if logg.ShowDebug {
 			provider.HTTPClient.Transport = &client.RoundTripper{
-				Rt:     http.DefaultTransport,
+				Rt:     transport,
 				Logger: &logger{Prefix: name},
 			}
 		}
@@ -199,7 +224,7 @@ func (s *SwiftLocation) Connect(name string) error {
 		}
 
 		serviceClient, err := openstack.NewObjectStorageV1(provider, gophercloud.EndpointOpts{
-			Region: s.RegionName,
+			Region: string(s.RegionName),
 		})
 		if err != nil {
 			return fmt.Errorf("cannot create Swift client: %s", err.Error())
@@ -220,20 +245,20 @@ func (s *SwiftLocation) Connect(name string) error {
 		return nil
 	}
 	var err error
-	s.Container, err = s.Account.Container(s.ContainerName).EnsureExists()
+	s.Container, err = s.Account.Container(string(s.ContainerName)).EnsureExists()
 	return err
 }
 
 // ObjectAtPath returns an Object instance for the object at the given path
 // (below the ObjectNamePrefix, if any) in this container.
 func (s *SwiftLocation) ObjectAtPath(path string) *schwift.Object {
 	objectName := strings.TrimPrefix(path, "/")
-	return s.Container.Object(s.ObjectNamePrefix + objectName)
+	return s.Container.Object(string(s.ObjectNamePrefix) + objectName)
 }
 
 // ListAllFiles implements the Source interface.
 func (s *SwiftLocation) ListAllFiles(out chan<- FileSpec) *ListEntriesError {
-	objectPath := s.ObjectNamePrefix
+	objectPath := string(s.ObjectNamePrefix)
 	if objectPath != "" && !strings.HasSuffix(objectPath, "/") {
 		objectPath += "/"
 	}
@@ -247,7 +272,7 @@ func (s *SwiftLocation) ListAllFiles(out chan<- FileSpec) *ListEntriesError {
 	})
 	if err != nil {
 		return &ListEntriesError{
-			Location: s.ContainerName + "/" + objectPath,
+			Location: string(s.ContainerName) + "/" + objectPath,
 			Message:  "GET failed",
 			Inner:    err,
 		}
@@ -265,17 +290,17 @@ func (s *SwiftLocation) getFileSpec(info schwift.ObjectInfo) FileSpec {
 	var f FileSpec
 	//strip ObjectNamePrefix from the resulting objects
 	if info.SubDirectory != "" {
-		f.Path = strings.TrimPrefix(info.SubDirectory, s.ObjectNamePrefix)
+		f.Path = strings.TrimPrefix(info.SubDirectory, string(s.ObjectNamePrefix))
 		f.IsDirectory = true
 	} else {
-		f.Path = strings.TrimPrefix(info.Object.Name(), s.ObjectNamePrefix)
+		f.Path = strings.TrimPrefix(info.Object.Name(), string(s.ObjectNamePrefix))
 		lm := info.LastModified
 		f.LastModified = &lm
 
 		if info.SymlinkTarget != nil && info.SymlinkTarget.Container().IsEqualTo(s.Container) {
 			targetPath := info.SymlinkTarget.Name()
-			if strings.HasPrefix(targetPath, s.ObjectNamePrefix) {
-				f.SymlinkTargetPath = strings.TrimPrefix(targetPath, s.ObjectNamePrefix)
+			if strings.HasPrefix(targetPath, string(s.ObjectNamePrefix)) {
+				f.SymlinkTargetPath = strings.TrimPrefix(targetPath, string(s.ObjectNamePrefix))
 			}
 		}
 	}
@@ -323,7 +348,7 @@ func (s *SwiftLocation) GetFile(path string, requestHeaders schwift.ObjectHeader
 // The given Matcher is used to find out which files are to be considered as
 // belonging to the transfer job in question.
 func (s *SwiftLocation) DiscoverExistingFiles(matcher Matcher) error {
-	prefix := s.ObjectNamePrefix
+	prefix := string(s.ObjectNamePrefix)
 	if prefix != "" && !strings.HasSuffix(prefix, "/") {
 		prefix += "/"
 	}